I'm trying to come up with some more custom health queries that address a bit of a range of issues. The way I look at it, there has to be a good way to track the health of a rule, specifically by looking at the contributing log sources, and their parsing health.
I designed a relatively basic search that displays something relatively similar to what I need, except I'm not entirely sure that the data can be stitched together.
The premise I have is as follows:
Parsing or health issues in a log source will create unexpected behavior that should, in theory, trickle down to the unparsed vs. parsed event count for each log source. I'd like to show the difference in parsed vs. unparsed (isunparsed, unknown event count, $whatever_works_best$) by log source.
Here's a sample of what I'd like to see:
Time/Time Range, Log Source Type, count(*), isunparsed,last_time_period
timefoo1,Log Source Bar,32000,true,y
timefoo2,Log Source Bar,2000,false,n
timefoo3,Log Source Foo,20000,false,y
timefoo4,Log Source Foo,0,true,n
OR
Time/Time Range, Log Source Type, last_count(*), diff_between_periods, unparsed_count
timefoo1,Log Source Bar,32000,30000
timefoo2,Log Source Foo,20000,0
Once this is complete, I'm wondering if I can add the unique count of rules that the log source contributes to, and potentially a separate query for a juxtaposed dashboard pane that shows log sources and the number of rules they contribute to.
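As an added example (not from the original post), here is one way to stitch per-period rows in the first table's layout into the second table, with a delta against the previous period and a log source that is absent from a period treated as silent. The rows are constructed sample data and the flagging thresholds are assumptions.

```python
from collections import defaultdict

# Constructed sample rows in the layout the post asks for:
# (time bucket, log source type, isunparsed, count). In practice these would
# come from an AQL search grouped by time bucket, log source type and isunparsed.
ROWS = [
    ("2024-01-01 09", "Log Source Bar", False, 30000),
    ("2024-01-01 09", "Log Source Bar", True,    500),
    ("2024-01-01 10", "Log Source Bar", False,  2000),
    ("2024-01-01 10", "Log Source Bar", True,  32000),
    ("2024-01-01 09", "Log Source Foo", False, 20000),
    # No rows for "Log Source Foo" in the 10:00 bucket: the source went quiet.
]


def stitch(rows):
    """Collapse rows into {log source type: {period: [total, unparsed]}}."""
    agg = defaultdict(lambda: defaultdict(lambda: [0, 0]))
    for period, lstype, unparsed, count in rows:
        agg[lstype][period][0] += count
        if unparsed:
            agg[lstype][period][1] += count
    return agg


def health_report(rows, unparsed_ratio_max=0.10, drop_ratio_max=0.50):
    """One record per (log source type, period): count, delta vs prior period,
    unparsed count/ratio and flags. Thresholds are assumed defaults."""
    agg = stitch(rows)
    periods = sorted({p for p, *_ in rows})  # every bucket seen for any source
    report = []
    for lstype in sorted(agg):
        prev_total = None
        for period in periods:
            total, unparsed = agg[lstype].get(period, [0, 0])
            diff = None if prev_total is None else total - prev_total
            ratio = unparsed / total if total else 0.0
            flags = []
            if total == 0:
                flags.append("silent")          # source absent this period
            elif ratio > unparsed_ratio_max:
                flags.append("unparsed")        # parsing health degraded
            if prev_total and diff is not None and -diff > prev_total * drop_ratio_max:
                flags.append("volume_drop")     # sharp fall vs previous period
            report.append({"period": period, "log_source_type": lstype, "count": total,
                           "diff_between_periods": diff, "unparsed_count": unparsed,
                           "unparsed_ratio": round(ratio, 3), "flags": flags})
            prev_total = total
    return report


if __name__ == "__main__":
    for record in health_report(ROWS):
        print(record)
```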